Installer script

.env.example

@@ -1,5 +1,5 @@
 # Required
-JWT_SECRET='your-secret-key-here'
+JWT_SECRET=
 
 # Data directory (default: /var/lib/hypeman)
 DATA_DIR=/var/lib/hypeman
@@ -20,7 +20,8 @@ DATA_DIR=/var/lib/hypeman
 # Caddy / Ingress configuration
 # CADDY_LISTEN_ADDRESS=0.0.0.0
 # CADDY_ADMIN_ADDRESS=127.0.0.1
-# CADDY_ADMIN_PORT=0               # 0 = random port (prevents conflicts on shared dev machines)
+# CADDY_ADMIN_PORT=0               # 0 = random (for dev); install script sets to 2019 for production
+# INTERNAL_DNS_PORT=0             # 0 = random (for dev); install script sets to 5353 for production
 # CADDY_STOP_ON_SHUTDOWN=false   # Set to true if you want Caddy to stop when hypeman stops
 
 # =============================================================================

cmd/api/config/config.go

@@ -88,6 +88,7 @@ type Config struct {
 	CaddyListenAddress  string // Address for Caddy to listen on
 	CaddyAdminAddress   string // Address for Caddy admin API
 	CaddyAdminPort      int    // Port for Caddy admin API
+	InternalDNSPort     int    // Port for internal DNS server (used for dynamic upstreams)
 	CaddyStopOnShutdown bool   // Stop Caddy when hypeman shuts down
 
 	// ACME / TLS configuration
@@ -145,10 +146,12 @@ func Load() *Config {
 		LogLevel: getEnv("LOG_LEVEL", "info"),
 
 		// Caddy / Ingress configuration
-		CaddyListenAddress:  getEnv("CADDY_LISTEN_ADDRESS", "0.0.0.0"),
-		CaddyAdminAddress:   getEnv("CADDY_ADMIN_ADDRESS", "127.0.0.1"),
-		CaddyAdminPort:      getEnvInt("CADDY_ADMIN_PORT", 0), // 0 = random port to prevent conflicts on shared dev machines
-		CaddyStopOnShutdown: getEnvBool("CADDY_STOP_ON_SHUTDOWN", false),
+		CaddyListenAddress: getEnv("CADDY_LISTEN_ADDRESS", "0.0.0.0"),
+		CaddyAdminAddress:  getEnv("CADDY_ADMIN_ADDRESS", "127.0.0.1"),
+		CaddyAdminPort:     getEnvInt("CADDY_ADMIN_PORT", 0),  // 0 = random port to prevent conflicts on shared dev machines
+		InternalDNSPort:    getEnvInt("INTERNAL_DNS_PORT", 0), // 0 = random port; used for dynamic upstream resolution
+		// Set to false if you're likely to frequently update hypeman
+		CaddyStopOnShutdown: getEnvBool("CADDY_STOP_ON_SHUTDOWN", true),
 
 		// ACME / TLS configuration
 		AcmeEmail:             getEnv("ACME_EMAIL", ""),

lib/ingress/manager.go

@@ -174,21 +174,34 @@ func (m *manager) Initialize(ctx context.Context) error {
 		log.WarnContext(ctx, "TLS ingresses exist but ACME is not configured - TLS will not work")
 	}
 
-	// Check if any TLS ingresses have hostnames not in the allowed domains list
+	// Filter out TLS ingresses with hostnames not in the allowed domains list
+	// to prevent Caddy from trying to obtain certificates for invalid domains
+	var validIngresses []Ingress
 	for _, ing := range ingresses {
+		var validRules []IngressRule
 		for _, rule := range ing.Rules {
 			if rule.TLS && !m.config.ACME.IsDomainAllowed(rule.Match.Hostname) {
-				log.WarnContext(ctx, "existing TLS ingress has hostname not in allowed domains list",
+				log.WarnContext(ctx, "skipping TLS ingress rule with hostname not in allowed domains list",
 					"ingress", ing.Name,
 					"hostname", rule.Match.Hostname,
 					"allowed_domains", m.config.ACME.AllowedDomains,
 				)
+				continue // Skip this rule
 			}
+			validRules = append(validRules, rule)
+		}
+		if len(validRules) > 0 {
+			ing.Rules = validRules
+			validIngresses = append(validIngresses, ing)
+		} else {
+			log.WarnContext(ctx, "skipping ingress with no valid rules",
+				"ingress", ing.Name,
+			)
 		}
 	}
 
-	// Generate and write config
-	if err := m.regenerateConfig(ctx, ingresses); err != nil {
+	// Generate and write config with only valid ingresses
+	if err := m.regenerateConfig(ctx, validIngresses); err != nil {
 		return fmt.Errorf("regenerate config: %w", err)
 	}
 

lib/providers/providers.go

@@ -137,11 +137,17 @@ func ProvideIngressManager(p *paths.Paths, cfg *config.Config, instanceManager i
 		}
 	}
 
+	// Use config value for internal DNS port, fall back to default (0 = random) if not set
+	internalDNSPort := cfg.InternalDNSPort
+	if internalDNSPort == 0 {
+		internalDNSPort = ingress.DefaultDNSPort
+	}
+
 	ingressConfig := ingress.Config{
 		ListenAddress:  cfg.CaddyListenAddress,
 		AdminAddress:   cfg.CaddyAdminAddress,
 		AdminPort:      cfg.CaddyAdminPort,
-		DNSPort:        ingress.DefaultDNSPort,
+		DNSPort:        internalDNSPort,
 		StopOnShutdown: cfg.CaddyStopOnShutdown,
 		ACME: ingress.ACMEConfig{
 			Email:                 cfg.AcmeEmail,